Disable container privilege escalation.

Per Azure best practice, disable a container's ability to escalate its
privileges.

https://docs.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security#secure-pod-access-to-resources
This commit is contained in:
dandds 2020-01-28 14:10:55 -05:00
parent e1ff093651
commit b630433aa8
3 changed files with 12 additions and 0 deletions

View File

@ -29,6 +29,8 @@ spec:
containers:
- name: atst
image: $CONTAINER_IMAGE
securityContext:
allowPrivilegeEscalation: false
env:
- name: UWSGI_PROCESSES
value: "2"
@ -64,6 +66,8 @@ spec:
cpu: 940m
- name: nginx
image: nginx:alpine
securityContext:
allowPrivilegeEscalation: false
ports:
- containerPort: 8342
name: main-upgrade
@ -189,6 +193,8 @@ spec:
containers:
- name: atst-worker
image: $CONTAINER_IMAGE
securityContext:
allowPrivilegeEscalation: false
args:
[
"/opt/atat/atst/.venv/bin/python",
@ -261,6 +267,8 @@ spec:
containers:
- name: atst-beat
image: $CONTAINER_IMAGE
securityContext:
allowPrivilegeEscalation: false
args:
[
"/opt/atat/atst/.venv/bin/python",

View File

@ -20,6 +20,8 @@ spec:
containers:
- name: crls
image: $CONTAINER_IMAGE
securityContext:
allowPrivilegeEscalation: false
command: [
"/bin/sh", "-c"
]

View File

@ -16,6 +16,8 @@ spec:
containers:
- name: migration
image: $CONTAINER_IMAGE
securityContext:
allowPrivilegeEscalation: false
command: [
"/bin/sh", "-c"
]